From 147c36020af5a709eddb429f94acbfe6d03cee27 Mon Sep 17 00:00:00 2001
From: Chris Nesbitt-Smith
Date: Fri, 22 May 2026 10:12:13 +0100
Subject: [PATCH] fix(ci-lease): use per-account S3 staging bucket for CFN deploy

CFN requires templates >51KB to be uploaded to S3 first. Several scenarios (council-chatbot, simply-readable, ai-contact-centre) exceed this. Council-chatbot dispatch just hit: Templates with a size greater than 51,200 bytes must be deployed via an S3 Bucket. Please add the --s3-bucket parameter Create a per-account staging bucket on demand (ndx-try-ci-cfn-stage-{acct}) because the leased pool account is wiped between leases. mb is idempotent on existing buckets; SSE-AES256 added because S3 default since 2023.
---
 .github/workflows/scenario-ci.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/scenario-ci.yml b/.github/workflows/scenario-ci.yml
index fff6fd84..6162acc6 100644
--- a/.github/workflows/scenario-ci.yml
+++ b/.github/workflows/scenario-ci.yml
@@ -117,12 +117,29 @@ jobs:
 env:
 SCENARIO: ${{ inputs.scenario }}
 TEMPLATE: ${{ steps.paths.outputs.template_path }}
+ ACCOUNT_ID: ${{ steps.lease.outputs.account_id }}
 run: |
 set -euo pipefail
 STACK_NAME="ndx-try-${SCENARIO}"
+ # CFN requires templates >51KB to be staged in S3. Several
+ # scenarios (council-chatbot, simply-readable, ai-contact-centre)
+ # exceed this. Create a per-account staging bucket on demand —
+ # the leased pool account is wiped between leases so we can't
+ # rely on a pre-existing bucket. mb is idempotent on existing
+ # buckets and the bucket is freshly created each lease cycle.
+ BUCKET="ndx-try-ci-cfn-stage-${ACCOUNT_ID}"
+ aws s3api create-bucket \
+ --bucket "$BUCKET" \
+ --region us-east-1 \
+ >/dev/null 2>&1 || true
+ aws s3api put-bucket-encryption \
+ --bucket "$BUCKET" \
+ --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}' \
+ >/dev/null 2>&1 || true
 aws cloudformation deploy \
 --stack-name "$STACK_NAME" \
 --template-file "$TEMPLATE" \
+ --s3-bucket "$BUCKET" \
 --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
 --no-fail-on-empty-changeset \
 --tags Project=ndx-try Scenario="$SCENARIO" RunId="${{ github.run_id }}"
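Review bot: The `>/dev/null 2>&1 || true` on `aws s3api create-bucket` hides every failure, including the case where `ndx-try-ci-cfn-stage-${ACCOUNT_ID}` already exists in a different AWS account (bucket names are global and this one is derivable from the account id), so the step would proceed to stage templates into a bucket the workflow does not own or fail later in `cloudformation deploy` with a less clear error; replace the swallow with an ownership check such as `aws s3api head-bucket --bucket "$BUCKET" --expected-bucket-owner "$ACCOUNT_ID"` immediately after the create so the job fails fast. The same `|| true` on `put-bucket-encryption` means a missing default-encryption setting is never surfaced — defensible given the commit's note that AES256 is the S3 default, but the comment should say that is why the error is ignored. The new block comment says "mb is idempotent" while the code calls `create-bucket`; as far as I recall `create-bucket` re-runs cleanly in us-east-1 for a bucket you already own but returns BucketAlreadyOwnedByYou in other regions, so the comment should name the actual command and note the hard-coded `--region us-east-1`. The step's `id`/`name` and the `lease` step that produces `account_id` are outside the hunk, so whether `ACCOUNT_ID` can be empty (which would yield the bucket name `ndx-try-ci-cfn-stage-` rather than tripping `set -u`) cannot be confirmed here.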